With the recent release of iOS 16.1, Apple noted that CVE-2022-32929 was addressed:
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
Impact: An app may be able to access iOS backups
Description: A permissions issue was addressed with additional restrictions.
CVE-2022-32929: Csaba Fitzl (@theevilbit) of Offensive Security
What’s odd is that the wording of the advisory indicates that an app on iOS can access backups, but backups are stored on the paired Mac. Csaba confirms in their writeup that the CVE was actually reported for macOS, yet it doesn’t show up on the Ventura security update page. This is due to how Apple “addressed” the issue.
To fix the issue, Apple now prompts the user for their device passcode before the backup occurs. This is problematic for a few reasons: 1) the prompt doesn’t say which computer the device is being backed up to (and that can probably be spoofed), 2) it decreases the usability of the backup workflow, as backups are supposed to happen in the background when the device is connected to power, 3) the prompt interrupts any ongoing workflow, and 4) it doesn’t actually address the CVE, which resides in the AppleMobileBackup binary on macOS.
In short, this seems like a bandage fix rather than a root-cause fix, and users will suffer the reduced UX until an actual fix lands in all supported versions of macOS. An interesting thing to note is that this issue likely resides in most, if not all, versions of macOS, and Apple isn’t going to patch all of them. Perhaps the protocol for device backups could be updated to identify the OS version of the Mac being used, so that additional protections on the iOS side can help protect the user against unpatched machines.